Posted
by
samzenpus
on Sunday August 03, 2014 @05:23PM
from the for-everyone's-eyes dept.

wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.

How often do hear news stories about leaks with encrypted passwords that are properly salted?:)
How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
Really, how often do you hear about things like this, if discovered internally?

I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.

It makes me wonder why the hell they aren't doing any better.

Avoiding a leak would certainly have been preferred. But mistakes happens, processes fails.

What the GP said was not "we should commend them", but "in their defense".

It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).

If even a tiny fraction of the people who bitch about their mistakes actually acted then things would be much better and you would have to find something else to complain about.

I do do something about it. You don't see this kind of leak nonsense from any product I've ever worked on. I expect developers elsewhere to be equally professional. User credential data (and personal info) is important, and development processes need to be more careful around it.

Oh? Shame you haven't helped others like Mozilla with that. It would sure be nice if you could spread your magical immunity from human error out to others, but apparently you're too professional to share that wisdom.

Best practices for avoiding leaks of important stuff are well known (and, really, Mozilla didn't suck here). But they had insufficient code or process review somewhere, to have had this leak. Normally, I'm all for rapid, agile development, but when it comes to the important stuff don't do that. Go slow. Get 20 people to review the change. Come back after a week or a month and review it again. It's important, don't rush it. There's very little most of us work on that's actually important, since most p

Are you suggesting that it's only valid criticism if you've actually tried to improve things? Does that mean that I can't criticise the condition of roads as I've never tried to repair them myself? I'm not allowed to criticise rich bankers as I've never tried to run a banking institution?

The name "Mozilla" used to be among the most respected names in computing. It represented integrity, honesty, innovation, and quality software.

Bugzilla was one of their first successes. It was widely used during the early 2000s, and some development teams still use it to this day. It's the kind of tool that helped make a lot of software development teams a lot more efficient, and it helped users do what they could to get a better experience out of the software they were using. People's lives were made bette

Well, I think the GP could be right. Hipsters have done a pretty damn good job of destroying GNOME 3, Windows 8, iOS 7, and Firefox. Given how they've managed to harm or kill prominent and widely used software systems like those, I don't see why civilization itself wouldn't be next!

Have you actually used IE 11? Its UI is kind of in the dumps, but underneath it's actually a pretty good browsers these days. It's fast, it's standards compliant, and it works. It's not as good as Chrome, but it's a huge step up

I honestly think Firefox fans are so caught up in the trivium that they've forgotten how good the browser really is, or how much it's sincerely improved over the years.

[citation needed]

I can't see anything that's improved in Firefox since they went Full Metal Retard a few years ago. They've screwed up the UI, they've added new bugs, they've neglected to fix old ones. All they've succeeded at is rapidly increasing the version number.

I dread a new Firefox release, because I know they'll have fcsked up something else.

I can't see anything that's improved in Firefox since they went Full Metal Retard a few years ago. They've screwed up the UI, they've added new bugs, they've neglected to fix old ones.

What are you talking about? Firefox is now faster than Chrome, uses less memory, and has Odin Monkey.
Mozilla is a non-profit organization that is dedicated to privacy. Google is a data mining company that has begun moving towards more-closed types of projects (killing RSS, XMPP integration, etc.).
Anyone that cares about technology freedom and privacy should be using supporting Mozilla.

What happened is that they can no longer fight the good fight on their own like they could when it was just them, the like-minded Opera, and a Microsoft who cared nothing about the situation and let their own browser rot. Now they have Google, Apple, and Microsoft to face off against, and an increasingly useless fanbase who just see the negatives and don't even want to pitch in anymore.

You try stopping Google when they say "jump". At least Mozilla stands up to them and tries to effect change. Everyone else

I know, I know: it's tough. We all have day jobs and that's why we want Mozilla to be a magical shield for us. But times have changed, and we clearly haven't. Mozilla tried to, but they clearly can't do it on their own anymore. So it's high time we actually did something too. Yet all I hear is whining about UI changes and other constant melodrama over things not being as flawless as they once were (which they weren't; rose-colored glasses just makes you think they were, until you actually use an old version

Where do you get the "75%+" number that people hate the UX changes? For what it's worth, I've used Firefox for years as my primary browser; I've used Chrome and IE only as necessary to test websites (or to use websites that are so poorly coded that they don't work with Firefox), and when I upgraded to FF 29 with the new UI, it took me about 15 minutes to get acclimated.

I keep hearing people lump the FF UI redesign in with things like GNOME 3 and the Windows 8 start screen. But it's nothing like them; nothin

All this personal data? It's your email address... that's it. Because your email is used to log you in.They also leaked a hashed and salted password.

I keep hearing your argument, but I always ask myself... if you car that much, why did you surrender personal information in the first place??!? I've never been to any site other than facebook that actually required any personal information. Even then you can just put in bullshit.

Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.

"We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."

Or... you could throw your toys out of your cot and post a rant condemning Mozilla.

You're obviously not effected by this either or you would already know the answers to your questions because they emailed everyone effected about it already.

The Eich issue showed the world that Mozilla is chock full of the same sentiment. And Mozilla's lost so much market share that they're only a bit player now. When push comes to shove, their "Real Work" is not cutting the mustard.

Au Contraire! Per the summary, she found the problem on June 22nd - one day before it even started! That's amazing work! She should be commended for finding it so early. On the other hand, why she let it go on for 30 days when she found it before it started is anyone's guess. Maybe someone should learn to write a summary (one massively long run on there). Perhaps someone should fact check said summary too.

I find it rather laughable that mostly everyone in the comments has taken a "forgive and forget" attitude in regards to this post. I love Mozilla...as a developer who uses their mdn site actively, I applaud their active involvement in creating awareness of their mistake so people like me can take measures in protecting their accounts, however, if it was another company, most of these comments would be lambasting this breach of security and protocol on their part. That being said, I'm confident that Mozilla

Are ignorance, negligence, or arrogance better reasons not to behavior professionally and follow accepted best practices?

Sure, maybe I could have reviewed the code personally since, I assume, it's open source (as are, I assume all the administration scripts they use? Yeh, right). But, I probably use, directly or indirectly, nearly a billion lines of code every year - I really don't have time to review each change any more than I have the resources or interest to test each gallon of gasoline I put in my car

Neither of the two links in TFS mentioned what kind of hash was being used. Does anyone happen to know? If it was the old fashioned DES hash as commonly used in.htpasswd, it may well be plaintext. If it was crypt('$5$xxxxxxxxxxxx' SHA, it's only a concern for people who chose very bad passwords.

DES is the encryption standard which is the basis of what for many years was the most common type of hash.For DES-based hashing, as used in.htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the users password) is used to encrypt a null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12 bit salt and a 56 bit password (maximum).

crypt(3) can also support better hash algorthims by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$

Not clear why you would use an encryption scheme to do hashing, though-- my understanding is that while both should have good hash characteristics (small changes in plaintext should cascade into large changes in the secured form), purpose-designed hash algorithms will generally be more resistant to attack than encryption schemes, and often faster.

A good encryption algorithm cannot be reversed without knowing the key, and a hash shouldn't be reversible, so a good encryption is a good basis for a hash. For PASSWORD hashing you don't use just the primitive, whether that primitive is DES or MD5. You do many rounds, with salt.

If you're not kidding about MD5, DES was in use twelve years before Rivest proposed MD2. Maybe 20 years before MD5, I don't remember the exact year for MD5.

I should clarify that DES itself specifies a key length of 56 bits. To get more bits, you do DES three times*, which is called Triple DES or 3DES. If you use three different 56-bit keys, that's effectively a 112 bit key due to meet-in-the-middle, and that's strong for an another fifteen years.

...that would think it was okay to screw over users with a new UI and not continue to provide security and stability updates for a few years to those who didn't want a new broken UI (something few successful commercial enterprise companies have managed to do). Or, thought it was okay to, a few days ago, push an update which either broke the UI further or broke a popular add-on that many of us were using to work around their earlier mistake.

Back in the day you'd count yourself lucky be be dumped onto a server to play a serious of deadly games on an electric matrix in the hopes of finally having a face off with the Overseer of Games, who looks just like your dick-head suspender wearing boss who always asking you to "ummmm yeah, come in on Saturday mmmm'kay?" like a question, as if you could actually say no, in heated one on one combat, only to ultimately prevail when you send a blazing disk straight through his face and watch in rapt glee as h

Maybe I'm missing something here, but if the data is a salted hash, they cannot recover it in any reasonable time, especially if they don't know the hashing algorithm used. Even if they do know the hashing scheme it is likely that any password that isn't a dictionary word won't be recovered in this decade, so why would it matter if they used the same password on another website?